Hands down one of the best SANS courses I have taken. Learned cutting edge pentesting techniques in a hands-on environment that challenged my abilities and increased overall knowledge.

Dave Odom, Bechtel

SANS SEC561. To be a top pen test professional, you need fantastic hands-on skills for finding, exploiting, and resolving vulnerabilities. SANS top instructors engineered SANS SEC561: Intense Hands-on Pen Testing Skill Development from the ground up to help you get good fast. The course teaches in-depth security capabilities through 80%+ hands-on exercises and labs, maximizing keyboard time on in-class labs, making this SANS' most hands-on course ever. With over 30 hours of intense labs, students experience a leap in their capabilities, as they come out equipped with the practical hands-on skills needed to address today's pen test and vulnerability assessment projects in enterprise environments.

To get the most out of this course, students should have some prior hands-on vulnerability assessment or penetration testing experience (minimum 6 months) or have taken at least one other penetration testing course (such as SANS SEC504, SEC560, or SEC542). The course will build on that background, helping participants ramp up their skills even further across a broad range of penetration testing disciplines.

Throughout the course, an expert instructor coaches students as they work their way through solving increasingly demanding real-world information security scenarios that they can apply the day that they get back to their jobs.

Evading Anti-Virus tools and bypassing Windows UAC to understand and defend against these advanced techniques

Honing phishing skills to evaluate the effectiveness of employee awareness initiatives and your organization's exposure to one of the most damaging attack vectors widely used today

A lot of people can talk about these concepts, but this course teaches you how to actually do them hands-on and in-depth. The SANS SEC561 course shows security personnel including penetration testers, vulnerability assessment personnel, auditors, and operations personnel how to leverage in-depth techniques to get powerful results in every one of their projects. The course is overflowing with practical lessons and innovative tips, all with direct hands-on application. Throughout the course, students interact with brand new, custom-developed scenarios built just for this course on the innovative NetWars challenge infrastructure, which guides them through the numerous hands-on labs providing questions, hints, and lessons learned as they build their skills.

Course Syllabus

SEC561.1: Security Platform Analysis

Overview

The first day of the course prepares students for real-world security challenges by giving them hands-on practice with essential Linux and Windows server and host management tools. First, students will leverage built-in and custom Linux tools to evaluate the security of host systems and servers, inspecting and extracting content from rich data sources such as image headers, browser cache content, and system logging resources. Next, students will turn their focus to performing similar analysis against remote Windows servers using built-in Windows system management tools to identify misconfigured services, scrutinize historical registry entries for USB devices, evaluate the impact of malware attacks, and analyze packet capture data. By completing these tasks, students build their skills in managing systems, applicable to post-compromise system host analysis, or defensive tasks such as defending targeted systems from persistent attack threats. By adding new tools and techniques to their arsenal, students are better prepared to complete the analysis of complex systems with greater accuracy in less time.

CPE/CMU Credits: 6

Topics

Linux Host and Server Analysis

Identifying users and permission exposure

File system data harvesting from common applications

Network traffic analysis and data extraction techniques

File and malware analysis tools

Windows Host and Server Analysis

Remote registry analysis for use analysis

Vulnerability targeting from system patch analysis and reporting

Client-side exploitation data artifact analysis

Windows malware executable analysis

Windows file system and permission management analysis

SEC561.2: Enterprise Security Assessment

Overview

In this section of the class, students investigate the critical tasks for a high-quality penetration test. We will look at the safest, most efficient ways to map a network and discover target systems and services. Once the systems are discovered, we look for vulnerabilities and reduce false positives with manual vulnerability verification. We will also look at exploitation techniques including the use of the Metasploit Framework to exploit these vulnerabilities, accurately describing risk and further reducing false positives. Of course, exploits are not the only way to access systems, so we also leverage password-related attacks including guessing and cracking techniques to extend our reach for a more effective and valuable penetration test.

SEC561.3: Web Application Assessment

Overview

This section of the course will look at the variety of flaws present in web applications and how each of them is exploited. Students will solve challenges presented to them by exploiting web applications hands-on with the tools used by professional web application penetration testers every day. The websites students attack mirror real-world vulnerabilities including Cross-Site Scripting (XSS), SQL Injection, Command Injection, Directory Traversal, Session Manipulation and more. Students will need to exploit the present flaws and answer questions based on the level of compromise they are able to achieve.

CPE/CMU Credits: 6

Topics

Recon and Mapping

Identification of target web applications

Directory brute-forcing

Manual creation of web requests

Web application scanning and exploitation tools

Server-side Web Application Attacks

SQL injection

Command injection

Directory traversal

Client-side Web Application Attacks

Cross-site scripting

Cross-site request forgery

Cookie and session manipulation

Web Application Vulnerability Exploitation

Evaluating logic flaws in popular web applications

Leveraging public exploits against web application infrastructure

SEC561.4: Mobile Device and Application Analysis

Overview

With the accelerated growth of mobile device use in enterprise networks, organizations find an increasing need to identify expertise in the security assessment and penetration testing of mobile devices and the supporting infrastructure. In this component of the course, we examine the practical vulnerabilities introduced by mobile devices and applications, and how they relate to the security of the enterprise. Students will look at the common vulnerabilities and attack opportunities against Android and Apple iOS devices, examining data remnants from lost or stolen mobile devices, the exposure introduced by common weak application developer practices, and the threat introduced by popular cloud-based mobile applications found in many networks today.

CPE/CMU Credits: 6

Topics

Mobile Device Assessment

Extracting data from mobile application network activity

Passive mobile device identification and fingerprinting

Mobile device wireless behavior analysis

Exploiting Mobile Device Management (MDM) system controls

Mobile Device Data Harvesting

Bypassing passcode authentication on mobile devices

Leveraging compromised hosts for mobile device backup data recovery

Extracting GPS and cell tower history from mobile devices for location tracking

Exploiting common password disclosure data sources

Mobile Application Analysis

Reverse-engineering Android applications

De-obfuscating mobile application malware

Static and dynamic automated application analysis systems

SEC561.5: Advanced Penetration Testing

Overview

This portion of the class is designed to teach the advanced skills required in an effective penetration test to extend our reach and move through the target network. This extended reach will provide a broader and more in-depth look at the security of the enterprise. We will pivot through compromised systems using various tunneling/pivoting techniques, bypass anti-virus, and use built-in commands to extend our influence over the target environment and find issues that lesser testers may have missed. We will also look at some of the common mistakes surrounding poorly or incorrectly implemented cryptography and ways to take advantage of those weaknesses to access systems and data that are improperly secured.

CPE/CMU Credits: 6

Topics

Anti-Virus Evasion Techniques

Manipulating exploits to bypass signature-based anti-virus tools

Leveraging packers and obfuscators

Altering tools to evade heuristic analysis engines

Advanced Network Pivoting Techniques

Protected network infrastructure tunneling with SSH

Remote proxy exploits with proxychains

Host redirection with Meterpreter host routing

Exploiting Network Infrastructure Components

Routing infrastructure manipulation attacks

Manipulating hosts through network management interfaces

Exploiting Cryptographic Weaknesses

Applying padding oracle attacks against web applications

Using entropy analysis to identify weak cryptography

Decrypting stream cipher data without key knowledge

SEC561.6: Capture the Flag Challenge

Overview

This lively session represents the culmination of the course, where attendees will apply the skills they have mastered throughout all the other sessions in a hands-on workshop. Attendees will participate in a larger version of the exercises present in the class to independently reinforce skills learned throughout the course.

Attendees will apply their newly developed skills to scan for flaws, use exploits, unravel technical challenges, and dodge firewalls, all while guided by the challenges presented to them by the NetWars Scoring Server. By practicing the skills in a combination workshop where multiple focus areas are combined, participants will have the opportunity to explore, exploit, pillage, and continue to reinforce skills against a realistic target environment.

CPE/CMU Credits: 6

Additional Information

Laptop Required

Throughout the course, students will participate in hands-on lab exercises. Students must bring their own laptops to class that meet the requirements described below.

Windows

Students must bring a Windows 7, Windows Vista, or Windows XP laptop to class, preferably running natively on the system hardware. It is possible to complete the lab exercises using a virtualized Windows installation; however, this will result in reduced performance when running device emulators within the virtualized Windows host. If you are a Windows XP user, make sure you also have the .NET 3.5 framework installed, which can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=21.

Administrative Windows Access

For several tools utilized in the course, students will be required to perform actions with administrative privileges. Students must have administrative access on their Windows host, including the ability to unload or disable security software such as anti-virus or firewall agents as necessary for the completion of lab exercises.

VMware

Students will use a virtualized MobiSec Linux VMware guest for several lab exercises. VMware Workstation or VMware Player is recommended. Note that there is no cost associated with the use of VMware Player, which can be downloaded from the VMware website.

While some students successfully use VMware Fusion for the exercises, the relative instability of VMware Fusion may introduce delays in exercise preparation, preventing the timely completion of lab exercises. VirtualBox and other virtualization tools are not supported at this time.

Hardware Requirements

Several of the software components used in the course are hardware intensive, requiring more system resources than what might be required otherwise for day-to-day use of a system. Please ensure your laptop meets the following minimum hardware requirements:

Minimum 2 GB RAM, 4 GB recommended

Ethernet (RJ45) network interface; students will not be able to complete lab exercises with systems that only have a wireless card, such as the MacBook Air

1.5 GHz processor minimum

30 GB free hard disk space

DVD drive (not a CD drive)

Minimum screen resolution 1024x768; a larger screen resolution will reduce scrolling in several applications and provide a more pleasant end-user experience

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Security professionals who want to expand their hands-on technical skills in new analysis areas such as packet analysis, digital forensics, vulnerability assessment, system hardening, and penetration testing

Systems and network administrators who want to gain hands-on experience in information security skills to become better administrators

Incident response analysts who want to better understand system attack and defense techniques

Forensic analysts who need to improve their analysis through experience with real-world attacks

Penetration testers seeking to gain practical hands-on experience for use in their own assessments

Prerequisites

To get the most out of this course, students should have some prior hands-on vulnerability assessment or penetration testing experience (minimum 6 months) or have taken at least one other penetration testing course (such as SANS SEC504, SEC560, or SEC542). The course will build on that background, helping participants ramp up their skills even further across a broad range of penetration testing disciplines.

What You Will Receive

Course book

Daily lab answer books detailing all the course challenge exercises

Course DVD and associated software, files, and analysis resources

You Will Be Able To

Use network scanning and vulnerability assessment tools to effectively map out networks and prioritize discovered vulnerabilities for effective remediation

Author Statement

In creating this course, we focused on getting as much practical, hands-on skill building into the classroom as possible. Each day begins with a short briefing on the technical topics students will work on throughout the day. Then, students build their skills analyzing real-world target systems in the classroom. When students walk out of the class, they'll have mastered over 100 new techniques for finding, exploiting, and then fixing security flaws. Just as aircraft pilots need more "stick" time learning how to fly, this course provides penetration testers and other security professionals real-world hands-on experience they need to excel in their work. -Josh Wright